Database crash with invalid geoJSON input
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| postgis (Debian) | Fix Released | Unknown | | |
| postgis (Ubuntu) | | Medium | Unassigned | |
| Trusty | | Undecided | Unassigned | |
| Utopic | | Undecided | Unassigned | |
| Vivid | | Medium | Unassigned | |
Bug Description
As reported upstream:
http://
Malformed geoJSON data can kill the database process. This functionality exists in trusty, utopic and vivid.
A fix has been prepared in Debian unstable - an unblock request for jessie was requested:
https:/
| Changed in postgis (Debian): | |
| status: | Unknown → Confirmed |
| Changed in postgis (Ubuntu): | |
| status: | New → Confirmed |
| importance: | Undecided → Medium |
| information type: | Private Security → Public Security |
| Steve Beattie (sbeattie) wrote : | #1 |
| Johan Van de Wauw (johanvdw) wrote : | #2 |
I don't think there is a CVE number. I asked in the upstream bugtracker to be sure.
| Johan Van de Wauw (johanvdw) wrote : | #3 |
| Johan Van de Wauw (johanvdw) wrote : | #4 |
The attachment "vivid debdiff" seems to be a debdiff. The ubuntu-sponsors team has been subscribed to the bug report so that they can review and hopefully sponsor the debdiff. If the attachment isn't a patch, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-sponsors, unsubscribe the team.
[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issue please contact him.]
| tags: | added: patch |
| Johan Van de Wauw (johanvdw) wrote : | #6 |
| Changed in postgis (Debian): | |
| status: | Confirmed → Fix Released |
| Marc Deslauriers (mdeslaur) wrote : | #7 |
ACK on the debdiffs. I've uploaded them for building with a slight modification to the changelog to make it more consistent with our other security updates.
Security updates will be released once they've built.
Thanks!
| Changed in postgis (Ubuntu Trusty): | |
| status: | New → Fix Committed |
| Changed in postgis (Ubuntu Utopic): | |
| status: | New → Fix Committed |
| Changed in postgis (Ubuntu Vivid): | |
| status: | Confirmed → Fix Committed |
| Launchpad Janitor (janitor) wrote : | #8 |
This bug was fixed in the package postgis - 2.1.5+dfsg-
---------------
postgis (2.1.5+
* SECURITY UPDATE: crash of the database backend process when given
invalid GeoJSON data (LP: #1438875)
- debian/
release, taken from debian patch by Markus Wanner.
- No CVE number
-- Johan Van de Wauw <email address hidden> Wed, 01 Apr 2015 19:53:13 +0200
| Changed in postgis (Ubuntu Vivid): | |
| status: | Fix Committed → Fix Released |
| Launchpad Janitor (janitor) wrote : | #9 |
This bug was fixed in the package postgis - 2.1.3+dfsg-
---------------
postgis (2.1.3+
* SECURITY UPDATE: crash of the database backend process when given
invalid GeoJSON data (LP: #1438875)
- debian/
release, taken from debian patch by Markus Wanner.
- No CVE number
-- Johan Van de Wauw <email address hidden> Wed, 01 Apr 2015 19:53:13 +0200
| Changed in postgis (Ubuntu Utopic): | |
| status: | Fix Committed → Fix Released |
| Launchpad Janitor (janitor) wrote : | #10 |
This bug was fixed in the package postgis - 2.1.2+dfsg-
---------------
postgis (2.1.2+
* SECURITY UPDATE: crash of the database backend process when given
invalid GeoJSON data (LP: #1438875)
- debian/
release, taken from debian patch by Markus Wanner.
- No CVE number
-- Johan Van de Wauw <email address hidden> Wed, 01 Apr 2015 21:29:10 +0200
| Changed in postgis (Ubuntu Trusty): | |
| status: | Fix Committed → Fix Released |


Since the debian bug and the upstream bug report are public, there's no point in keeping this bug report private, so I've made it public as well. Has a CVE been assigned for this issue?